The number of mobile users is rapidly growing and expected to cross 3 billion in next 3 years, according to Gartner. Mobile payments and financial services are going to be among the hottest mobile technology applications. Various communication channels – including SMS, Unstructured Supplementary Service Data (USSD) and IP-based communications – have security vulnerabilities. This will increasingly cause major security concerns among banks, telecom companies and service providers.
Critical threats such as fraudulent transactions, request/response manipulations, and insecure message communications are directly triggering revenue loss for mobile payment service providers. Sensitive information disclosure due to weak cryptographic implementation, improper account management, and modification of sensitive information may also cause security breaches and loss of sensitive data in USSD-based mobile payment applications.
Experts believe that more security breaches will be inevitable as mobile usage grows. Deploying secure, reliable and robust products is a challenging task since there are multiple channels involved to provide each service. Proper security controls must be an intrinsic part of mobile phones and mobile applications to avoid major business impacts including:
- Fraudulent transactions (Revenue Loss) through mobile applications
- Confidentiality (Users sensitive data- credit/debit card data, PIN , user credentials)
- Revenue loss through communications services misuse
- Brand value degradation through SIM card cloning and related attacks
- Misuse of enterprise data through personal handheld devices
- Fraudulent transactions through USSD and DSTK (Dynamic SIM Toolkit) applications
Unstructured Supplementary Service Data (USSD)
The USSD communication protocol is widely used to provide mobile communication services, location-based services, mapping services, recharge/booking services, and mobile payment and banking services. USSD is preferred over the SMS communication channel. In USSD, direct communication between the sender and recipient is established, which promotes faster data transmission. USSD communication is session-oriented and it is easily implementable while being more user-friendly. The USSD application is connected as interface between the customer’s telecom provider and his bank account. The customer can transact through handheld devices as well as in web-based applications (USSD in IP mode).
Top 5 Threats
USSD Commands Request/Response Tampering – A malicious user can tamper with USSD command requests and responses through hardware and software interceptors leading to fraudulent transactions. Weak encrypted request and response messages are prime concerns in such threat vectors.
USSD Request/Response Message Replay Attacks – When a phone is lost, an adversary may perform fraudulent transactions through an installed USSD application in absence of authenticating USSD request originator (e.g., by MSISDN, IMEI, PIN and unique Message Tracking ID).
USSD Application Prepaid Roaming Access Test – An adversary may cause direct revenue loss for service providers by using roaming access parameters manipulation and getting unauthorized access to USSD application prepaid roaming services.
Verify Strong Cryptographic Implementation – Weak cryptography implementation for critical data (customer number, card numbers, PIN, beneficiary details – account numbers, balance summary) can be tampered with, leading to fraudulent transactions.
Improper Data Validation (USSD IP Mode Applications) – Improper data validation in USSD IP mode application can lead to SQL injection, cross site scripting attacks. An adversary may purposely insert specifically crafted scripts in user input and may try to use the same to perform malicious actions at the database or at another user’s active session.
Best Practices to Secure USSD-Based Mobile Payment Applications
A systematic approach to assessing and remediating vulnerabilities in mobile applications is critical to ensuring secure payment transactions. The following practices can be helpful:
- Detailed and proactive security assessment helps the client ensure secure financial transactions through mobile payment client applications
- Mobile client application and mobile validation layers security are enhanced through a proactive approach during entire SDLC
- Detailed analysis of the security gaps against the security best practices benchmarks
- Threat modeling activity using the STRIDE/DREAD approach helps in identifying the application’s vulnerabilities
- Mapping identified vulnerabilities to threats brings about a clear understanding of security issues in the application and how they may be exploited
- Mapping vulnerabilities to flaws at the architecture and design levels helps prepare a comprehensive remediation plan identifies vulnerabilities in financial transactions, application residing on mobile device and sensitive data transmission over wireless network which automated tools may not detect.
Aujas can help your company manage mobile application risks. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at firstname.lastname@example.org or 201.633.4745.